Wave Systems Corp. (fka WAVXQ)

[Genz2]

NIST makes ‘major’ changes to mobile device security guidelines

https://www.fedscoop.com/nist-mobile-device-security-guidelines/

That the National Institute of Standards and Technology released its revised mobile device security guidelines during a time of increased telework is purely coincidental — but also fortuitous.

The guidelines hadn’t been updated since 2013, and much has changed across the enterprise mobile device landscape in those seven years, Gema Howell, IT security engineer at NIST, told FedScoop.

Howell and her fellow authors began the revision process at the end of 2018, keeping the draft document’s structure largely the same: mobile device characteristics, threats, security tools, and deployment lifecycle.

“This is really focused on device-side threats, considerations and things you can do on the device,” Howell said. “What we want folks to be aware of are the many changes in the industry and the solutions available to them to help secure their mobile devices that are being used during this telework time to access their enterprise resources.”

The authors made “major” changes to the threat landscape section, mapping high-level threats to NIST’s Mobile Threat Catalogue while also addressing privacy implications, Howell said.

Mobile applications are increasingly problematic because they can allow adversaries attack vectors to sensitive information, especially the more apps there are on a device, she added.

Authors also addressed how mobile authentication is no longer simply a four-digit personal identification number but can involve biometrics that users might not even be aware exist.

More nuances to device deployment

The guidelines also include a more detailed outline of the mobile device deployment lifecycle:

• Identifying mobile requirements, which now involves choosing a use case.
• Reviewing inventory.
• Picking a deployment model — enterprise use only or bring-your-own-device.
• Selecting Android, iOS or both.
• Determining the needed security tools.

“The previous document focused a lot on one particular technology that was available back then, which was a mobile device management solution (MDMS),” Howell said. “Today we have a lot more options.”

MDMS may be referred to as “enterprise mobility management solutions” now. And there is also the mobile application vetting service, which monitors apps for risky behavior, and mobile threat defense, which informs the user of device-, app- or network-based threats.

NIST also added a second step to the mobile device deployment lifecycle: performing a risk assessment.

The draft document is open to public comment through June 26, 2020, after which NIST will review feedback and update the guidelines before releasing either a second or final version.

Initial feedback has largely been positive with requests for minor edits and the inclusion of related topics like how mobile devices connect to zero-trust networks, Howell said.

“So far, with the feedback that we’ve received, it seems it will go final,” she said. “But it’s hard to tell because we’re still in the beginning stages of the public comment period.”
==================================================================
Wave Joins ARM TrustZone Ready Program

Committed to Helping Chip Manufacturers Implement Industry Standard Security for Mobile Platforms

https://www.wavesys.com/buzz/pr/wave-joins-arm-trustzone-ready-program

Lee, MA -

September 26, 2012 -

Wave Systems Corp. (NASDAQ:WAVX) today announced that it has joined the ARM TrustZone® Ready Enablement Program to provide support and infrastructure for implementing enterprise security capabilities in mobile devices. As a partner in the program, Wave joins other industry leaders in helping chip manufacturers design and implement new industry standard security capabilities within ARM’s TrustZone architecture to enable full cross-platform interoperability across PCs, tablets, smartphones and other mobile devices.

TrustZone Technology (developed by ARM, the world’s leading semiconductor IP supplier) is a System-on-Chip security concept that involves a hardware-isolated space for a Trusted Execution Environment (TEE). Once integrated, core security services such as cryptography, storage and user interfaces can enable services to be deployed with a new level of security and convenience.

The primary goal of ARM's TrustZone Ready enablement program is to guide chip and device manufacturers to design robust, industry-certified security architecture into their products that will meet the needs of service providers looking to deploy secure services on secured platforms. Companies that implement system-wide security into their platforms can benefit from this program through a cohesive set of design blueprints, market requirements, and checklists aligned with industry standards.

“Smart phones, tablets and other devices are essential for today’s enterprise, and require access to sensitive applications and data. While these devices have excellent security for the mobile operator’s services, they lack basic security for use within an enterprise network,” commented Steven Sprague, Wave’s CEO. “ARM, with the TrustZone Ready Program, is taking the lead in making sure that standards-based security implemented in the TrustZone Trusted Execution Environment (TEE) is integrated into chipsets for mobile devices. Wave is committed to sharing its expertise in Trusted Platform Module (TPM) implementations, application development and trust infrastructure support.”

“Wave’s infrastructure for managing TPM and TPM-mobile-enabled devices will allow enterprise users to exploit the full capabilities of Trusted Computing Group standards across multiple device types,” added Jon Geater, Director of Technology for ARM Secure Services Division and Board Representative of ARM at GlobalPlatform. “ARM welcomes Wave into the TrustZone Ready Program as a valuable partner that will bring secure enterprise services to TrustZone secured devices running GlobalPlatform Trusted Execution Environments.”

Eliminating passwords, Providing Health Measurements for mobile devices

The TPM, shipped on more than half a billion PCs, is a cryptographic component built on specifications from the Trusted Computing Group. The TPM brings strong, enterprise-grade security features to consumer devices that are widely deployed in enterprise networks. The TPM for mobile devices is uniquely designed to support the security needs of multiple stakeholders, allowing enterprises to provide strong security in end-user applications, satisfy the security requirements of third-party application developers, and support other parties.

With a TPM Mobile implemented within the hardware-based security boundaries of ARM’s TrustZone and protected by a full function Trusted Execution Environment, enterprises will be able to take advantage of the strong security of the TPM in the following ways:
• Protect corporate devices and user identities
• Measure and attest to the integrity and health of the mobile device
• Implement secure network access
• Provide secure messaging for corporate traffic
• Reduce the need for user passwords, with reliance on the device itself as a strong authentication token for access to services and data, including cloud-based functions.
• Offer central control over devices which are lost or stolen to protect sensitive data

Increased emphasis on trusted computing is driving the security industry toward hardware-based technologies that offer improved access control, encryption, and the early detection of malware. With Wave’s industry-leading trusted computing solutions, customers are empowered to secure endpoint data, protect data-in-motion and ensure that only trusted devices gain access to the enterprise network. Wave’s solution will provide enterprises with cross-platform interoperability between PCs and mobile devices for trusted computing-based functions and applications.
=================================================================
AN IDEA WHOSE TIME HAS COME!!! Wave could play a big role in the flourishing of real mobile security!!!